The Market Ticker
Commentary on The Capital Markets - Category [Flash]

Heads up, folks!

OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in their implementation of the TLS/DTLS heartbeat functionality (RFC6520). This flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL libssl library in chunks of 64k at a time. Note that an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets.

This is extremely serious, folks.

If your systems are vulnerable to this and Internet-facing, you must assume that the private keys involved in your SSL-enabled applications have been compromised and are no longer secret. This means that your site can be trivially spoofed and will appear to be legitimate to a client connecting to it even though it is not.

This is very, very bad. You cannot simply upgrade OpenSSL and be done. You must also revoke all keys that were formerly issued and potentially exposed, and either have them re-issued or re-issue them yourself. In addition, the public CAs may be impacted as well since they have Internet-facing services, which means that their keys may not be secure either.

Until you have confirmation from the CAs you use that their keys were either never on a machine with a vulnerable implementation or have been revoked and then re-generated and re-issued, you must assume that the public CAs are also compromised. (That requires revocation and re-issue of their keys, which means they need to re-issue your key as well, since once they revoke their key yours won't validate any more!)

I have patched my servers here and will be revoking and re-issuing all my internal-use keys, including my private CA. For those of you with Internet-facing servers that use SSL, you have a problem if your systems are vulnerable or if the entity that issued your SSL certificate was/is vulnerable, as you must assume your CA has been compromised until and unless you have confirmation that they never were.

DO NOT TAKE THIS VULNERABILITY LIGHTLY -- IT HAS BEEN IN THE OPENSSL CODE FOR ROUGHLY A YEAR IN COMMON USE AND LONGER IN DEVELOPMENT VERSIONS, AND THE PRESENCE OF EXPLOITS "IN THE WILD", ALONG WITH THEIR USE, MUST BE PRESUMED. THERE IS NO RETROSPECTIVE LOG ANALYSIS THAT CAN BE DONE TO DETECT EXPLOITATION, AS NO ABNORMAL TRACE IS LEFT BY THE EXPLOIT. HOWEVER, ATTEMPTS TO EXPLOIT THE BUG, IF YOU ARE LOOKING FOR THEM ON A FORWARD BASIS, CAN BE DETECTED IF YOUR SECURITY SUITE IS TAUGHT TO LOOK FOR THE SPECIFIC SEQUENCE OF REQUESTS INVOLVED IN ATTEMPTING EXPLOITATION.
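To find which hosts need the patch plus key revocation and re-issue, the following added example (not part of the original post) classifies `openssl version` output against the 1.0.1 through 1.0.1f range given above. The host names and inventory lines are constructed samples, and the tab-separated inventory format is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post.
# Classifies `openssl version` output against the affected range stated in
# the post: 1.0.1 through 1.0.1f.

# heartbleed_status "<one line of `openssl version` output>"
# Prints: in-range | not-in-range | unknown
heartbleed_status() {
    # Typical shape: "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.1e-fips ..."
    hb_ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    case "$hb_ver" in
        "")                    echo unknown; return 0 ;;  # not OpenSSL output
        *-beta*|*-dev*|*-pre*) echo unknown; return 0 ;;  # post gives no pre-release range
    esac
    hb_ver=${hb_ver%%-*}       # drop build tags such as "-fips"
    case "$hb_ver" in
        1.0.1|1.0.1[a-f])     echo in-range ;;
        [0-9]*.[0-9]*.[0-9]*) echo not-in-range ;;
        *)                    echo unknown ;;
    esac
}

# triage_inventory: reads "host<TAB>version line" records on stdin and prints
# "host<TAB>status" so hosts needing patch + key re-issue stand out.
triage_inventory() {
    hb_tab=$(printf '\t')
    while IFS=$hb_tab read -r hb_host hb_line; do
        [ -n "$hb_host" ] || continue
        printf '%s\t%s\n' "$hb_host" "$(heartbleed_status "$hb_line")"
    done
}

# Constructed sample inventory (hypothetical host names).
sample_inventory() {
    printf 'web01\tOpenSSL 1.0.1e 11 Feb 2013\n'
    printf 'web02\tOpenSSL 1.0.1g 7 Apr 2014\n'
    printf 'mail01\tOpenSSL 0.9.8y 5 Feb 2013\n'
    printf 'vpn01\tOpenSSL 1.0.1e-fips 11 Feb 2013\n'
    printf 'app01\tsh: openssl: not found\n'
}

sample_inventory | triage_inventory
```

An `in-range` result is a lead, not proof: some distributions backport fixes without changing the version letter, and applications that bundle their own libssl are not covered by the system `openssl` binary.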

The Market Ticker content may be reproduced or excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media or for commercial use.

Submissions or tips on matters of economic or political interest may be sent "over the transom" to The Editor at any time. To be considered for publication your submission must include full and correct contact information and be related to an economic or political matter of the day. All submissions become the property of The Market Ticker.